Envoy is vulnerable to unauthorized access. When parsing HTTP/1.x header values, Envoy does not reject embedded zero characters (NUL, ASCII 0x0). A remote attacker who crafts header values containing embedded NUL characters can potentially bypass header matching rules and gain access to unauthorized resources.
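The following is an added illustration, not Envoy's own code: it shows why an embedded NUL makes a header value ambiguous (a C-string comparison and a length-aware comparison disagree on the same bytes) and how rejecting such values before matching removes the ambiguity. All function names and the sample value are hypothetical and constructed for this example.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <string_view>

// Hypothetical validator: reject any header value containing NUL (ASCII 0x0).
bool headerValueIsValid(std::string_view value) {
  return value.find('\0') == std::string_view::npos;
}

// Length-aware comparison: every byte counts, including bytes after a NUL.
bool matchesFull(std::string_view value, std::string_view expected) {
  return value == expected;
}

// C-string comparison: stops at the first NUL, so the tail is silently ignored.
bool matchesAsCString(const std::string& value, const char* expected) {
  return std::strcmp(value.c_str(), expected) == 0;
}

enum class Outcome { Rejected, Matched, NotMatched };

// Validate before matching, so no later stage ever sees an ambiguous value.
Outcome evaluate(const std::string& value, std::string_view expected) {
  if (!headerValueIsValid(value)) return Outcome::Rejected;
  return matchesFull(value, expected) ? Outcome::Matched : Outcome::NotMatched;
}

// Constructed sample value: 13 bytes, "trusted" + NUL + "extra".
const std::string kSample("trusted\0extra", 13);

int main() {
  // The two comparisons disagree on the same bytes.
  std::printf("c-string match: %d\n", matchesAsCString(kSample, "trusted"));
  std::printf("full match:     %d\n", matchesFull(kSample, "trusted"));
  // With validation in front, the value never reaches a matcher.
  std::printf("rejected:       %d\n",
              evaluate(kSample, "trusted") == Outcome::Rejected);
  return 0;
}
```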
access.redhat.com/errata/RHSA-2019:0741
access.redhat.com/security/updates/classification/#important
github.com/envoyproxy/envoy/issues/6434
github.com/envoyproxy/envoy/security/advisories/GHSA-x74r-f4mw-c32h
groups.google.com/forum/#!topic/envoy-announce/VoHfnDqZiAM
www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history